Executive Summary
Between July 2021 and November 2022, multiple U.S. businesses, including an engineering firm and a bank, were hit by the Yanluowang ransomware group, which relied on initial access broker Aleksei Olegovich Volkov for entry. Volkov, operating as “chubaka.kor,” exploited vulnerabilities in victim networks, handed off footholds that enabled data theft and encryption, and helped coordinate ransom payments; demands totaled about $24 million, of which roughly $1.5 million was paid. Victims suffered operational disruption, including temporary shutdowns, and follow-on pressure such as DDoS attacks and harassment of executives. Investigators tied the activity to Volkov through cryptocurrency tracing and communication evidence.
This case highlights growing cooperation among cybercriminals: access brokers sell or hand off footholds to ransomware operators, enabling larger, multi-pronged extortion campaigns. The prosecution also shows that cross-border arrests and restitution are attainable outcomes, even as ransomware activity grows more aggressive and tactics keep evolving.
Why This Matters Now
This incident underscores the escalating sophistication of ransomware operations, particularly through the use of specialized initial access brokers to breach organizations. As multi-stage extortion tactics proliferate and cross-border law enforcement intensifies, businesses face urgent pressure to strengthen internal controls and respond rapidly to reduce risk from similar threats.
Attack Path Analysis
The attacker, acting as an initial access broker, exploited vulnerabilities or misconfigurations to gain unauthorized entry into victim networks and then escalated from that foothold to privileged accounts. Lateral movement let the broker and his co-conspirators spread through cloud and internal infrastructure to reach critical systems and data stores. Once embedded, the group established command-and-control channels to coordinate hands-on activity and deliver ransomware payloads. Sensitive data was exfiltrated before the ransomware ran; the attackers then encrypted data and disrupted the network with Yanluowang to maximize extortion leverage.
Kill Chain Progression
Initial Compromise
Description
The attacker identified exposed or vulnerable internet-facing services or obtained stolen access credentials to gain the initial foothold in the target cloud or hybrid network environment.
Related CVEs
CVE-2022-24521
CVSS 7.8. A privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver lets a local attacker who already has code execution on the host run arbitrary code with SYSTEM privileges. Because it is a local elevation-of-privilege flaw rather than a remote entry point, it fits the privilege escalation stage of the chain rather than initial compromise, and the sources cited on this page do not tie it to a specific victim in this case.
Affected Products:
Microsoft Windows – 7 SP1, 8.1, 10, 11, Server 2008, Server 2012, Server 2016, Server 2019, Server 2022
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Phishing
Data Encrypted for Impact
Data Manipulation: Stored Data Manipulation
Exfiltration Over C2 Channel
Endpoint Denial of Service
Obtain Capabilities: Tool
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication for Users and Administrators
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 15
CISA ZTMM 2.0 – Identity Verification and Access Controls
Control ID: Identity Pillar, Maturity Stage 2
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
GLBA – Information Security Program
Control ID: 16 CFR 314.4
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Banks face direct ransomware exposure, and because attacker traffic inside the network is usually encrypted and blends with legitimate flows, they need east-west traffic inspection and zero trust segmentation to protect financial data.
Computer Software/Engineering
Engineering firms, one of which was a confirmed Yanluowang victim, need multicloud visibility, threat detection, and secure hybrid connectivity so that an access broker cannot turn a single exposed weakness into a foothold.
Financial Services
Financial services firms need egress policy enforcement and anomaly detection to limit data theft, plus cryptocurrency transaction monitoring and blockchain analysis to trace ransom payments that can run to millions of dollars.
Computer/Network Security
Network security sector must implement inline IPS capabilities and cloud native security fabric to defend against sophisticated ransomware operations targeting enterprise networking infrastructure.
Sources
- Russian national pleads guilty to breaking into networks for Yanluowang ransomware attacks – https://cyberscoop.com/russian-aleksei-volkov-yanluowang-ransomware/
- Kaspersky experts release decryption tool for Yanluowang ransomware – https://www.kaspersky.com/about/press-releases/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware
- Cisco confirms May attack by Yanluowang ransomware group – https://therecord.media/cisco-confirms-may-attack-by-yanluowang-ransomware-group/
- HC3: Analyst Note – https://www.hhs.gov/sites/default/files/hc3-top-10-most-active-ransomware-groups-analyst-note-tlpclear-r.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and CNSF controls such as network microsegmentation, east-west traffic policy, layered egress filtering, and deep visibility could have constrained or detected this attack at several stages, impeding privilege escalation, internal lateral movement, and data exfiltration, while supporting faster incident response and a smaller blast radius.
Control: Cloud Firewall (ACF)
Mitigation: Automated blocking of unauthorized inbound access attempts.
Control: Zero Trust Segmentation
Mitigation: Limits available scope for privilege abuse by enforcing least-privilege at the network layer.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized internal traffic to prevent unauthorized pivoting.
Control: Inline IPS (Suricata)
Mitigation: Real-time detection and disruption of malicious outbound or C2 traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Restricts data exfiltration via granular outbound policy controls and FQDN filtering.
Rapid detection of encryption and destructive actions enabling immediate containment.
Impact at a Glance
Affected Business Functions
- Engineering
- Banking
- Telecommunications
Estimated downtime: 7 days
Estimated loss: $9,200,000
Sensitive corporate data, including non-disclosure agreements and technical drawings, was exfiltrated, and employee login information from Active Directory was compromised.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and east-west policy controls to prevent lateral movement and internal privilege escalation.
- Apply strict egress filtering and DNS/FQDN controls to block unauthorized data exfiltration, C2, and ransomware dropper activity.
- Deploy inline IPS/IDS with real-time threat signature inspection to disrupt exploit and command channel usage.
- Invest in centralized network visibility and threat anomaly detection for rapid detection and response across multicloud and hybrid environments.
- Mandate encryption of all data in transit to mitigate the risk of data interception and ensure compliance.
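The egress and DNS/FQDN controls in the CNSF list above and in the action items here amount to a policy that can be written down and tested. The following is an added example, not code from this advisory or from any vendor product: it evaluates constructed proxy/firewall log lines against an FQDN allow-list and a per-host outbound byte budget, flagging direct-to-IP connections (the usual C2 shape) and a large transfer to an unapproved host (the exfiltration-before-encryption step in the kill chain). The log format, allow-list entries, hostnames, addresses and threshold are all assumptions made up for the example.

```python
"""Egress allow-list plus outbound-volume check over constructed log lines.

Added example, not code from this advisory or any vendor product. Every
hostname, IP address, allow-list entry and threshold below is an assumption
constructed for the demonstration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed allow-list of business destinations. A "*." entry matches the
# apex domain and every subdomain beneath it.
ALLOWED_FQDNS = {
    "*.microsoft.com",
    "*.windowsupdate.com",
    "crm.example-vendor.com",
}

# Assumed per-(source, destination) outbound budget for the window: 50 MiB.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed egress log: "<timestamp> <src_ip> <dest> <dest_port> <bytes_out>".
# 203.0.113.45 is from the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
2022-08-10T02:14:01Z 10.20.5.17 login.microsoft.com 443 1840
2022-08-10T02:14:09Z 10.20.5.17 crm.example-vendor.com 443 24110
2022-08-10T02:15:22Z 10.20.5.17 203.0.113.45 443 612
2022-08-10T02:15:40Z 10.20.5.17 files-share.example-drop.net 443 41943040
2022-08-10T02:16:03Z 10.20.5.17 files-share.example-drop.net 443 20971520
2022-08-10T02:17:11Z 10.20.7.42 update.windowsupdate.com 443 9000
"""


@dataclass(frozen=True)
class Verdict:
    src: str
    dest: str
    reason: str


def fqdn_allowed(dest: str, allow: set[str]) -> bool:
    """True if dest is an exact allow-list entry or covered by a "*." entry.

    Matching is on whole labels, so "evilmicrosoft.com" does not match
    "*.microsoft.com", and neither does "microsoft.com.attacker.net".
    """
    if dest in allow:
        return True
    labels = dest.split(".")
    # Stop before the last label so a wildcard never collapses to a bare TLD.
    for i in range(len(labels) - 1):
        if "*." + ".".join(labels[i:]) in allow:
            return True
    return False


def is_ip_literal(dest: str) -> bool:
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False


def evaluate_egress(log_text: str,
                    allow: set[str] = ALLOWED_FQDNS,
                    threshold: int = EXFIL_BYTES_THRESHOLD) -> list[Verdict]:
    """Return one verdict per policy violation, in detection order.

    Direct-to-IP flows and unapproved FQDNs are reported once per
    (src, dest) pair; bytes sent to unapproved FQDNs are summed and
    reported again if the total crosses the budget.
    """
    verdicts: list[Verdict] = []
    reported: set[tuple[str, str]] = set()
    bytes_to_unapproved: dict[tuple[str, str], int] = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dest, _port, bytes_out = line.split()
        key = (src, dest)
        if is_ip_literal(dest):
            # Direct-to-IP egress sidesteps DNS/FQDN policy altogether,
            # which is the usual shape of a C2 beacon.
            if key not in reported:
                verdicts.append(Verdict(src, dest, "direct-to-ip egress (no FQDN)"))
                reported.add(key)
            continue
        if fqdn_allowed(dest, allow):
            continue
        if key not in reported:
            verdicts.append(Verdict(src, dest, "fqdn not on allow-list"))
            reported.add(key)
        bytes_to_unapproved[key] += int(bytes_out)

    for (src, dest), total in bytes_to_unapproved.items():
        if total >= threshold:
            verdicts.append(Verdict(
                src, dest, f"possible exfiltration: {total} bytes to unapproved host"))
    return verdicts


if __name__ == "__main__":
    for v in evaluate_egress(SAMPLE_LOG):
        print(f"{v.src} -> {v.dest}: {v.reason}")
```

Run as a script, it prints three findings for the constructed log: the direct-to-IP flow from 10.20.5.17, the unapproved FQDN, and the 60 MiB sent to that FQDN across two connections. The wildcard matcher works on whole labels on purpose: a substring match would let an attacker-registered name such as evilmicrosoft.com pass a "*.microsoft.com" rule, which is exactly the gap an egress allow-list is meant to close.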